The primary purpose of this blog is to aid the occasional Google researcher in the field of computer forensics. The content may not be ground breaking or earth shattering, but simply a way to pass along what I hope is useful information.

Monday, July 16, 2012

I recently worked a case where I located some relevant information in a file called "searchhs.dat". This file was located in the user's directory under "\AppData\Local\Microsoft\BingBar\Apps\Search_6f21d9007fa34bc78d94309126de58f5\VersionIndependent" and "\AppData\LocalLow\Microsoft\Search Enhancement Pack\Search Box Extension\" (note: this was on Windows 7).

The Bing Bar is a free add-on from Microsoft that integrates with Internet Explorer. For more information, read here. Users can search directly from the Bing Bar and the search terms are stored in the searchhs.dat file mentioned above.

A quick Google led me to two programs that had the ability to parse this file: sep-history-viewer and ESPv2. sep-history-viewer displays the record ID, term length, search term, count and a time stamp of the last search. At this time, ESPv2 only displays the search terms. [Edit: as of 7/18/12, ESPv2 now supports record ID, term length, count and time stamp in addition to the search terms.]

Now it was time to dig deeper and verify the results with the raw data. I opened up the searchhs.dat file in HEX view and saw the URL entries. I did some quick research and was not able to locate the file format specification for the file. The author of ESPv2 kindly responded to an email and gave me the repeating header and record id.

However, the information I was really interested in verifying was the date. I (begrudgingly) installed the Bing Bar, fired up IE and did some testing. After running several searches and reviewing the file in HEX (using X-Ways), I was able to determine the location and format of the last-searched time stamp along with a few other things:

Black: Repeating header
Blue: Record ID
Yellow: Count - appears to increase each time the search term is used/selected
Red: UTC date stored as a 128-bit (16-byte) Windows SYSTEMTIME structure (decode works nicely to convert it)
Purple: URL length
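To show how the red field can be verified by hand, here is an added example (my own code, not from the post or from either parser mentioned above) that decodes a 128-bit SYSTEMTIME and walks a constructed searchhs.dat-style file. The post only names the fields and their order; the 4-byte "SRCH" marker, the field widths and the UTF-16LE URL encoding used here are assumptions made for illustration, not the real on-disk layout.

```python
import struct
from datetime import datetime, timezone

# The repeating header's real bytes are not given in the post; "SRCH" is a
# constructed placeholder, as are the field widths used below.
MARKER = b"SRCH"

def decode_systemtime(raw: bytes) -> datetime:
    """16-byte little-endian SYSTEMTIME (8 x WORD) -> aware UTC datetime."""
    if len(raw) != 16:
        raise ValueError("SYSTEMTIME is exactly 16 bytes (128 bits)")
    year, month, _wday, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    return datetime(year, month, day, hour, minute, second, ms * 1000,
                    tzinfo=timezone.utc)

def encode_systemtime(dt: datetime) -> bytes:
    """Inverse of decode_systemtime; used here only to build sample data."""
    wday = (dt.weekday() + 1) % 7  # SYSTEMTIME numbers Sunday as 0
    return struct.pack("<8H", dt.year, dt.month, wday, dt.day, dt.hour,
                       dt.minute, dt.second, dt.microsecond // 1000)

def parse_records(data: bytes) -> list:
    """Walk marker-delimited records in the assumed layout:
    marker(4) | record id(4) | count(4) | SYSTEMTIME(16) | url len(4) | url."""
    records, pos = [], 0
    while pos < len(data):
        if data[pos:pos + 4] != MARKER:
            raise ValueError(f"no record marker at offset {pos}")
        rec_id, count = struct.unpack_from("<II", data, pos + 4)
        last_used = decode_systemtime(data[pos + 12:pos + 28])
        (url_len,) = struct.unpack_from("<I", data, pos + 28)
        url = data[pos + 32:pos + 32 + url_len].decode("utf-16-le")
        records.append({"id": rec_id, "count": count,
                        "last_used": last_used, "url": url})
        pos += 32 + url_len
    return records

def build_record(rec_id: int, count: int, when: datetime, url: str) -> bytes:
    """Constructed sample record in the same assumed layout."""
    body = url.encode("utf-16-le")
    return (MARKER + struct.pack("<II", rec_id, count)
            + encode_systemtime(when) + struct.pack("<I", len(body)) + body)

# Constructed sample file: two searches, timestamps picked arbitrarily.
SAMPLE = (build_record(1, 3, datetime(2012, 7, 16, 14, 5, 9, 250000, tzinfo=timezone.utc),
                       "http://www.bing.com/search?q=searchhs.dat")
          + build_record(2, 1, datetime(2012, 7, 18, 9, 30, 0, tzinfo=timezone.utc),
                         "http://www.bing.com/search?q=bing+bar"))
```

Running `parse_records(SAMPLE)` returns one dict per record; the value to compare against your hex editor is the 16-byte SYSTEMTIME, e.g. bytes `DC 07 07 00 01 00 10 00 0E 00 05 00 09 00 FA 00` decode to 2012-07-16 14:05:09.250 UTC (a Monday, so the day-of-week WORD is 1).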

I have a feeling I am probably missing some posts/blogs/articles that were made on this, but thought I would add to the collection just in case. Remember - do not take my word as the "be all to end all" and test, test, test!